コード例 #1
0
ファイル: fingerprint.py プロジェクト: simhaonline/trueseeing
    def do_detect(self):
        with open(pkg_resources.resource_filename(
                __name__, os.path.join('..', 'libs', 'tlds.txt')),
                  'r',
                  encoding='utf-8') as f:
            self.re_tlds = re.compile('^(?:%s)$' % '|'.join(
                re.escape(l.strip())
                for l in f if l and not l.startswith('#')),
                                      flags=re.IGNORECASE)

        with self.context.store() as store:
            for cl in store.query().consts(
                    InvocationPattern(
                        'const-string',
                        r'://|^/[{}$%a-zA-Z0-9_-]+(/[{}$%a-zA-Z0-9_-]+)+|^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+(:[0-9]+)?$'
                    )):
                for match in self.analyzed(cl.p[1].v):
                    for v in match['value']:
                        yield Issue(detector_id=self.option,
                                    confidence=IssueConfidence.FIRM,
                                    cvss3_vector=self.cvss,
                                    summary='detected %s' % match['type_'],
                                    info1=v,
                                    source=store.query().qualname_of(cl))
            for name, val in self.context.string_resources():
                for match in self.analyzed(val):
                    for v in match['value']:
                        yield Issue(detector_id=self.option,
                                    confidence=IssueConfidence.FIRM,
                                    cvss3_vector=self.cvss,
                                    summary='detected %s' % match['type_'],
                                    info1=v,
                                    source='R.string.%s' % name)
コード例 #2
0
ファイル: manifest.py プロジェクト: monolithworks/trueseeing
  def detect(self) -> Iterable[Issue]:
    policy = ComponentNamePolicy()
    ns = dict(android='http://schemas.android.com/apk/res/android')

    for name in set(itertools.chain(
        self._context.parsed_manifest().getroot().xpath('//activity[not(@android:permission)]/intent-filter/../@android:name', namespaces=ns),
        self._context.parsed_manifest().getroot().xpath('//activity[not(@android:permission) and (@android:exported="true")]/@android:name', namespaces=ns),
      )):
      filter_ = [name for name in self._context.parsed_manifest().getroot().xpath(f'//activity[@android:name="{name}"]/intent-filter/action/@android:name', namespaces=ns) if not policy.looks_public(name)]
      if not filter_:
        yield Issue(
          detector_id=self.option,
          confidence='certain',
          cvss3_vector=self._cvss1,
          summary='manipulatable Activity',
          info1=name,
          source='AndroidManifest.xml',
          synopsis="Application is exporting one or more activities.",
          description="Application is exporting one or more activities.  Activities are entrypoints to the application.  Exporting enables them to be invoked from other applications or system.  Unnecessary export increases attack surfaces.  Please note that Android automatically exports ones with IntentFilter defined in the manifest.  This issue is just an observation; exporting activities alone does not constitute an security issue.",
          solution="Review them, and restrict access with application-specific permissions if necessary."
        )
      else:
        yield Issue(
          detector_id=self.option,
          confidence='certain',
          cvss3_vector=self._cvss2,
          summary='manipulatable Activity with private action names',
          info1=name,
          info2=', '.join(filter_),
          source='AndroidManifest.xml',
          synopsis="Application is exporting one or more activities using seemingly private action names, suggesting inadvent export.",
          description="Application is exporting one or more activities using seemingly private action names, suggesting inadvent export.  Activities are entrypoints to the application.  Exporting enables them to be invoked from other applications or system.  Inadvent exporting enables malwares or malicious users to manipulate the application.  Please note that Android automatically exports ones with IntentFilter defined in the manifest.",
          solution="Review them, and restrict access with application-specific permissions if necessary."
        )
コード例 #3
0
ファイル: manifest.py プロジェクト: simhaonline/trueseeing
    def do_detect(self):
        policy = ComponentNamePolicy()
        ns = dict(android='http://schemas.android.com/apk/res/android')

        for name in set(
                itertools.chain(
                    self.context.parsed_manifest().getroot().xpath(
                        '//provider[not(@android:permission)]/intent-filter/../@android:name',
                        namespaces=dict(
                            android='http://schemas.android.com/apk/res/android'
                        )),
                    self.context.parsed_manifest().getroot().xpath(
                        '//provider[not(@android:permission) and (@android:exported="true")]/@android:name',
                        namespaces=dict(
                            android='http://schemas.android.com/apk/res/android'
                        )),
                )):
            filter_ = [
                name
                for name in self.context.parsed_manifest().getroot().xpath(
                    '//receiver[@android:name="%s"]/intent-filter/action/@android:name'
                    % name,
                    namespaces=ns) if not policy.looks_public(name)
            ]
            if not filter_:
                yield Issue(
                    detector_id=self.option,
                    confidence=IssueConfidence.CERTAIN,
                    cvss3_vector=self.cvss1,
                    summary='manipulatable ContentProvider',
                    info1=name,
                    source='AndroidManifest.xml',
                    synopsis=
                    "Application is exporting one or more content providers.",
                    description=
                    "Application is exporting one or more content providers.  Content providers defines REST/RDBMS-like IPC mechanism for the application.  Exporting enables them to be invoked from other applications or system.  Unnecessary export increases attack surfaces.  Please note that Android automatically exports them (API 8 or ealier) or ones with IntentFilter defined in the manifest (API level 9 or later).  This issue is just an observation; exporting content providers alone does not constitute an security issue.",
                    solution='''\
  Review them and explicitly unexport or restrict access with application-specific permissions if necessary.  To explicitly unexporting an content provider, define the following attribute to the <provider> tag in the manifest:

  android:export="false"
  ''')
            else:
                yield Issue(
                    detector_id=self.option,
                    confidence=IssueConfidence.CERTAIN,
                    cvss3_vector=self.cvss2,
                    summary=
                    'manipulatable ContentProvider with private action names',
                    info1=name,
                    info2=', '.join(filter_),
                    source='AndroidManifest.xml',
                    synopsis=
                    "Application is exporting one or more content providers using seemingly private action names, suggesting inadvent export.",
                    description=
                    "Application is exporting one or more content providers using seemingly private action names, suggesting inadvent export.  Content providers defines REST/RDBMS-like IPC mechanism for the application.  Exporting enables them to be invoked from other applications or system.  Inadvent exporting enables malwares or malicious users to manipulate the application.  Please note that Android automatically exports them (API 8 or ealier) or ones with IntentFilter defined in the manifest (API level 9 or later).",
                    solution='''\
  Review them and explicitly unexport or restrict access with application-specific permissions if necessary.  To explicitly unexporting an content provider, define the following attribute to the <provider> tag in the manifest:

  android:export="false"
  ''')
コード例 #4
0
 def detect(self) -> Iterable[Issue]:
   for c in (self._class_name_of(self._context.source_name_of_disassembled_class(r)) for r in self._context.disassembled_classes()):
     if re.search('(?:^|\.)a$', c):
       yield Issue(detector_id=self.option, confidence='certain', cvss3_vector=self._cvss_true, summary='detected obfuscator', info1='ProGuard')
       break
   else:
     yield Issue(detector_id=self.option, confidence='firm', cvss3_vector=self._cvss_false, summary='lack of obfuscation')
コード例 #5
0
ファイル: report.py プロジェクト: monolithworks/trueseeing
 def _formatted(self, issue: Issue) -> str:
     return '{source}:{row}:{col}:{severity}{{{confidence}}}:{description} [-W{detector_id}]'.format(
         source=noneif(issue.source, '(global)'),
         row=noneif(issue.row, 0),
         col=noneif(issue.col, 0),
         severity=issue.severity(),
         confidence=issue.confidence,
         description=issue.brief_description(),
         detector_id=issue.detector_id)
コード例 #6
0
ファイル: security.py プロジェクト: simhaonline/trueseeing
    def do_detect(self):
        with self.context.store() as store:
            targets = {'WebView', 'XWalkView', 'GeckoView'}

            more = True
            while more:
                more = False
                for cl in store.query().related_classes('|'.join(targets)):
                    name = store.query().class_name_of(cl)
                    if name not in targets:
                        targets.add(name)
                        more = True

            for fn in (n for n in self.context.disassembled_resources()
                       if 'layout' in n):
                with open(fn, 'rb') as f:
                    r = ET.parse(f,
                                 parser=ET.XMLParser(recover=True)).getroot()
                    for t in functools.reduce(
                            lambda x, y: x + y,
                        (r.xpath('//%s' %
                                 self.context.class_name_of_dalvik_class_type(
                                     c).replace('$', '_')) for c in targets)):
                        size = LayoutSizeGuesser().guessed_size(t, fn)
                        if size > 0.5:
                            try:
                                yield Issue(
                                    detector_id=self.option,
                                    confidence=IssueConfidence.TENTATIVE,
                                    cvss3_vector=self.cvss1,
                                    summary='tamperable webview',
                                    info1='{0} (score: {1:.02f})'.format(
                                        t.attrib['{0}id'.format(
                                            self.xmlns_android)], size),
                                    source=self.context.
                                    source_name_of_disassembled_resource(fn))
                            except KeyError as e:
                                log.warning(
                                    'SecurityTamperableWebViewDetector.do_detect: missing key {0}'
                                    .format(e))

            # XXX: crude detection
            for op in store.query().invocations(
                    InvocationPattern('invoke-', ';->loadUrl')):
                try:
                    v = DataFlows.solved_constant_data_in_invocation(
                        store, op, 0)
                    if v.startswith('http://'):
                        yield Issue(detector_id=self.option,
                                    confidence=IssueConfidence.FIRM,
                                    cvss3_vector=self.cvss2,
                                    summary='tamperable webview with URL',
                                    info1=v,
                                    source=store.query().qualname_of(op))
                except DataFlows.NoSuchValueError:
                    pass
コード例 #7
0
    def detect(self) -> Iterable[Issue]:
        import lxml.etree as ET
        from functools import reduce
        with self._context.store() as store:
            targets = {'WebView', 'XWalkView', 'GeckoView'}

            more = True
            while more:
                more = False
                for cl in store.query().related_classes('|'.join(targets)):
                    name = store.query().class_name_of(cl)
                    if name is not None and name not in targets:
                        targets.add(name)
                        more = True

            for fn in (n for n in self._context.disassembled_resources()
                       if 'layout' in n):
                with open(fn, 'rb') as f:
                    r = ET.parse(f,
                                 parser=ET.XMLParser(recover=True)).getroot()
                    for t in reduce(lambda x, y: x + y, (r.xpath('//{}'.format(
                            self._context.class_name_of_dalvik_class_type(
                                c).replace('$', '_'))) for c in targets)):
                        size = LayoutSizeGuesser().guessed_size(t, fn)
                        if size > 0.5:
                            try:
                                yield Issue(
                                    detector_id=self.option,
                                    confidence='tentative',
                                    cvss3_vector=self._cvss1,
                                    summary=self._summary1,
                                    info1='{0} (score: {1:.02f})'.format(
                                        t.attrib[f'{self._xmlns_android}id'],
                                        size),
                                    source=self._context.
                                    source_name_of_disassembled_resource(fn))
                            except KeyError as e:
                                ui.warn(
                                    f'SecurityTamperableWebViewDetector.do_detect: missing key {e}'
                                )

            # XXX: crude detection
            for op in store.query().invocations(
                    InvocationPattern('invoke-', ';->loadUrl')):
                try:
                    v = DataFlows.solved_constant_data_in_invocation(
                        store, op, 0)
                    if v.startswith('http://'):
                        yield Issue(detector_id=self.option,
                                    confidence='firm',
                                    cvss3_vector=self._cvss2,
                                    summary=self._summary2,
                                    info1=v,
                                    source=store.query().qualname_of(op))
                except DataFlows.NoSuchValueError:
                    pass
コード例 #8
0
ファイル: manifest.py プロジェクト: simhaonline/trueseeing
    def do_detect(self):
        policy = ComponentNamePolicy()
        ns = dict(android='http://schemas.android.com/apk/res/android')

        for name in set(
                itertools.chain(
                    self.context.parsed_manifest().getroot().xpath(
                        '//receiver[not(@android:permission)]/intent-filter/../@android:name',
                        namespaces=ns),
                    self.context.parsed_manifest().getroot().xpath(
                        '//receiver[not(@android:permission) and (@android:exported="true")]/@android:name',
                        namespaces=ns),
                )):
            filter_ = [
                name
                for name in self.context.parsed_manifest().getroot().xpath(
                    '//receiver[@android:name="%s"]/intent-filter/action/@android:name'
                    % name,
                    namespaces=ns) if not policy.looks_public(name)
            ]
            if not filter_:
                yield Issue(
                    detector_id=self.option,
                    confidence=IssueConfidence.CERTAIN,
                    cvss3_vector=self.cvss1,
                    summary='manipulatable BroadcastReceiver',
                    info1=name,
                    source='AndroidManifest.xml',
                    synopsis=
                    "Application is exporting one or more broadcast receivers.",
                    description=
                    "Application is exporting one or more broadcast receivers.  Broadcast receivers are system-wide event listeners of the application.  Exporting enables them to be invoked from other applications or system.  Unnecessary export increases attack surfaces.  Please note that Android automatically exports ones with IntentFilter defined in the manifest.  This issue is just an observation; exporting broadcast receivers alone does not constitute an security issue.",
                    solution=
                    "Review them and restrict access with application-specific permissions if necessary.  Consider the use of LocalBroadcastReceiver for ones that system-wide reachability is not needed."
                )
            else:
                yield Issue(
                    detector_id=self.option,
                    confidence=IssueConfidence.CERTAIN,
                    cvss3_vector=self.cvss2,
                    summary=
                    'manipulatable BroadcastReceiver with private action names',
                    info1=name,
                    info2=', '.join(filter_),
                    source='AndroidManifest.xml',
                    synopsis=
                    "Application is exporting one or more broadcast receivers using seemingly private action names, suggesting inadvent export.",
                    description=
                    "Application is exporting one or more broadcast receivers using seemingly private action names, suggesting inadvent export.  Broadcast receivers are system-wide event listeners of the application.  Exporting enables them to be invoked from other applications or system.  Inadvent exporting enables malwares or malicious users to manipulate the application.  Please note that Android automatically exports ones with IntentFilter defined in the manifest.",
                    solution=
                    "Review them, and restrict access with application-specific permissions if necessary."
                )
コード例 #9
0
ファイル: security.py プロジェクト: simhaonline/trueseeing
 def do_detect(self):
     with self.context.store() as store:
         for cl in store.query().invocations(
                 InvocationPattern(
                     'invoke-',
                     'L.*->([dwie]|debug|error|exception|warning|info|notice|wtf)\(Ljava/lang/String;Ljava/lang/String;.*?Ljava/lang/(Throwable|.*?Exception);|L.*;->print(ln)?\(Ljava/lang/String;|LException;->printStackTrace\('
                 )):
             if 'print' not in cl.p[1].v:
                 try:
                     yield Issue(
                         detector_id=self.option,
                         confidence=IssueConfidence.TENTATIVE,
                         cvss3_vector=self.cvss,
                         summary='detected logging',
                         info1=cl.p[1].v,
                         info2=DataFlows.solved_constant_data_in_invocation(
                             store, cl, 1),
                         source=store.query().qualname_of(cl))
                 except (DataFlows.NoSuchValueError):
                     yield Issue(detector_id=self.option,
                                 confidence=IssueConfidence.TENTATIVE,
                                 cvss3_vector=self.cvss,
                                 summary='detected logging',
                                 info1=cl.p[1].v,
                                 source=store.query().qualname_of(cl))
             elif 'Exception;->' not in cl.p[1].v:
                 try:
                     yield Issue(
                         detector_id=self.option,
                         confidence=IssueConfidence.TENTATIVE,
                         cvss3_vector=self.cvss,
                         summary='detected logging',
                         info1=cl.p[1].v,
                         info2=DataFlows.solved_constant_data_in_invocation(
                             store, cl, 0),
                         source=store.query().qualname_of(cl))
                 except (DataFlows.NoSuchValueError):
                     yield Issue(detector_id=self.option,
                                 confidence=IssueConfidence.TENTATIVE,
                                 cvss3_vector=self.cvss,
                                 summary='detected logging',
                                 info1=cl.p[1].v,
                                 source=store.query().qualname_of(cl))
             else:
                 yield Issue(detector_id=self.option,
                             confidence=IssueConfidence.TENTATIVE,
                             cvss3_vector=self.cvss,
                             summary='detected logging',
                             info1=cl.p[1].v,
                             source=store.query().qualname_of(cl))
コード例 #10
0
    def do_detect_case2(self):
        # XXX: Crude detection
        def should_be_secret(store, k, val):
            return any(
                x in store.query().qualname_of(k).lower()
                for x in ['inapp', 'billing', 'iab', 'sku', 'store', 'key'])

        pat = '^MI[IG][0-9A-Za-z+/=-]{32,}AQAB'
        with self.context.store() as store:
            for cl in store.query().consts(
                    InvocationPattern('const-string', pat)):
                val = cl.p[1].v
                yield Issue(
                    detector_id=self.option,
                    cvss3_vector=self.cvss,
                    confidence={
                        True: IssueConfidence.FIRM,
                        False: IssueConfidence.TENTATIVE
                    }[should_be_secret(store, cl, val)],
                    summary='insecure cryptography: static keys (2)',
                    info1='"%(target_val)s" [%(target_val_len)d] (X.509)' %
                    dict(target_val=val, target_val_len=len(val)),
                    source=store.query().qualname_of(cl),
                    synopsis=
                    'Traces of X.509 certificates has been found the application binary.',
                    description='''\
Traces of X.509 certificates has been found in the application binary.  X.509 certificates describe public key materials.  Their notable uses include Google Play in-app billing identity.  If is hardcoded, attackers can extract or replace them.
''',
                    solution='''\
Use a device or installation specific information, or obfuscate them.  Especially, do not use the stock implementation of in-app billing logic.
''')
            for name, val in self.context.string_resources():
                if re.match(pat, val):
                    yield Issue(
                        detector_id=self.option,
                        cvss3_vector=self.cvss,
                        confidence=IssueConfidence.TENTATIVE,
                        summary='insecure cryptography: static keys (2)',
                        info1='"%(target_val)s" [%(target_val_len)d] (X.509)' %
                        dict(target_val=val, target_val_len=len(val)),
                        source='R.string.%s' % name,
                        synopsis=
                        'Traces of X.509 certificates has been found the application binary.',
                        description='''\
Traces of X.509 certificates has been found in the application binary.  X.509 certificates describe public key materials.  Their notable uses include Google Play in-app billing identity.  If is hardcoded, attackers can extract or replace them.
''',
                        solution='''\
Use a device or installation specific information, or obfuscate them.  Especially, do not use the stock implementation of in-app billing logic.
''')
コード例 #11
0
ファイル: crypto.py プロジェクト: monolithworks/trueseeing
  def _do_detect_case1(self) -> Iterable[Issue]:
    import base64
    import binascii
    def looks_like_real_key(k: str) -> bool:
      # XXX: silly
      return len(k) >= 8 and not any(x in k for x in ('Padding', 'SHA1', 'PBKDF2', 'Hmac', 'emulator'))

    with self._context.store() as store:
      for cl in store.query().invocations(InvocationPattern('invoke-', '^Ljavax?.*/(SecretKey|(Iv|GCM)Parameter|(PKCS8|X509)EncodedKey)Spec|^Ljavax?.*/MessageDigest;->(update|digest)')):
        try:
          for nr in self._important_args_on_invocation(cl):
            for found in DataFlows.solved_possible_constant_data_in_invocation(store, cl, nr):
              try:
                decoded = base64.b64decode(found)
                info1 = '"{target_val}" [{target_val_len}] (base64; "{decoded_val}" [{decoded_val_len}])'.format(target_val=found, target_val_len=len(found), decoded_val=binascii.hexlify(decoded).decode('ascii'), decoded_val_len=len(decoded))
              except (ValueError, binascii.Error):
                info1 = f'"{found}" [{len(found)}]'

              if looks_like_real_key(found):
                yield Issue(
                  detector_id=self.option,
                  cvss3_vector=self._cvss,
                  confidence='firm',
                  summary='insecure cryptography: static keys',
                  info1=info1,
                  source=store.query().qualname_of(cl),
                  synopsis='Traces of cryptographic material has been found the application binary.',
                  description='''\
Traces of cryptographic material has been found in the application binary.  If cryptographic material is hardcoded, attackers can extract or replace them.
''',
                  solution='''\
Use a device or installation specific information, or obfuscate them.
'''
                )
              else:
                yield Issue(
                  detector_id=self.option,
                  cvss3_vector=self._cvss_nonkey,
                  confidence='tentative',
                  summary='Cryptographic constants detected',
                  info1=info1,
                  source=store.query().qualname_of(cl),
                  synopsis='Possible cryptographic constants have been found.',
                  description='''\
Possible cryptographic constants has been found in the application binary.
'''
                )
        except IndexError:
          pass
コード例 #12
0
    def do_detect(self):
        with self.context.store() as store:
            for cl in store.query().invocations(
                    InvocationPattern(
                        'invoke-static',
                        'Ljavax/crypto/Cipher;->getInstance\(Ljava/lang/String;.*?\)'
                    )):
                try:
                    target_val = DataFlows.solved_possible_constant_data_in_invocation(
                        store, cl, 0)
                    if any((('ECB' in x or '/' not in x) and 'RSA' not in x)
                           for x in target_val):
                        yield Issue(
                            detector_id=self.option,
                            cvss3_vector=self.cvss,
                            confidence=IssueConfidence.CERTAIN,
                            summary=
                            'insecure cryptography: cipher might be operating in ECB mode',
                            info1=','.join(target_val),
                            source=store.query().qualname_of(cl),
                            synopsis=
                            'The application might be using ciphers in ECB mode.',
                            description='''\
              The application might be using symmetric ciphers in ECB mode.  ECB mode is the most basic operating mode that independently transform data blocks.  Indepent transformation leaks information about distribution in plaintext.
''',
                            solution='''\
Use CBC or CTR mode.
''')
                except (DataFlows.NoSuchValueError):
                    pass
コード例 #13
0
ファイル: fingerprint.py プロジェクト: simhaonline/trueseeing
 def detect(self):
     for c in (self.class_name_of(
             self.context.source_name_of_disassembled_class(r))
               for r in self.context.disassembled_classes()):
         if re.search('(?:^|\.)a$', c):
             yield Issue(detector_id=self.option,
                         confidence=IssueConfidence.CERTAIN,
                         cvss3_vector=self.cvss_true,
                         summary='detected obfuscator',
                         info1='ProGuard')
             break
     else:
         yield Issue(detector_id=self.option,
                     confidence=IssueConfidence.FIRM,
                     cvss3_vector=self.cvss_false,
                     summary='lack of obfuscation')
コード例 #14
0
ファイル: fingerprint.py プロジェクト: simhaonline/trueseeing
    def do_detect(self):
        package = self.context.parsed_manifest().getroot().xpath(
            '/manifest/@package',
            namespaces=dict(
                android='http://schemas.android.com/apk/res/android'))[0]

        packages = dict()
        for fn in (self.context.source_name_of_disassembled_class(r)
                   for r in self.context.disassembled_classes()):
            family = self.package_family_of(self.package_name_of(fn))
            if family is not None:
                try:
                    packages[family].append(fn)
                except KeyError:
                    packages[family] = [fn]
                else:
                    pass
        packages = {
            k: v
            for k, v in packages.items() if not self.is_kind_of(k, package)
            and re.search(r'\.[a-zA-Z0-9]{4,}(?:\.|$)', k)
        }

        yield from (Issue(
            detector_id=self.option,
            confidence=IssueConfidence.FIRM,
            cvss3_vector=self.cvss,
            summary='detected library',
            info1='%s (score: %d)' % (p, len(packages[p])),
        ) for p in sorted(packages.keys()))
コード例 #15
0
ファイル: crypto.py プロジェクト: monolithworks/trueseeing
  def _do_detect_case2(self) -> Iterable[Issue]:
    # XXX: Crude detection
    def should_be_secret(store: Store, k: Op, val: str) -> bool:
      name = store.query().qualname_of(k)
      if name:
        return name.lower() in ['inapp','billing','iab','sku','store','key']
      else:
        return False

    pat = '^MI[IG][0-9A-Za-z+/=-]{32,}AQAB'
    with self._context.store() as store:
      for cl in store.query().consts(InvocationPattern('const-string', pat)):
        val = cl.p[1].v
        yield Issue(
          detector_id=self.option,
          cvss3_vector=self._cvss,
          confidence={True:'firm', False:'tentative'}[should_be_secret(store, cl, val)], # type: ignore[arg-type]
          summary='insecure cryptography: static keys (2)',
          info1=f'"{val}" [{len(val)}] (X.509)',
          source=store.query().qualname_of(cl),
          synopsis='Traces of X.509 certificates has been found the application binary.',
          description='''\
Traces of X.509 certificates has been found in the application binary.  X.509 certificates describe public key materials.  Their notable uses include Google Play in-app billing identity.  If is hardcoded, attackers can extract or replace them.
''',
          solution='''\
Use a device or installation specific information, or obfuscate them.  Especially, do not use the stock implementation of in-app billing logic.
'''
        )
      for name, val in self._context.string_resources():
        if re.match(pat, val):
          yield Issue(
            detector_id=self.option,
            cvss3_vector=self._cvss,
            confidence='tentative',
            summary='insecure cryptography: static keys (2)',
            info1=f'"{val}" [{len(val)}] (X.509)',
            source=f'R.string.{name}',
            synopsis='Traces of X.509 certificates has been found the application binary.',
            description='''\
Traces of X.509 certificates has been found in the application binary.  X.509 certificates describe public key materials.  Their notable uses include Google Play in-app billing identity.  If is hardcoded, attackers can extract or replace them.
''',
            solution='''\
Use a device or installation specific information, or obfuscate them.  Especially, do not use the stock implementation of in-app billing logic.
'''
          )
コード例 #16
0
ファイル: security.py プロジェクト: simhaonline/trueseeing
 def do_detect(self):
     if self.context.get_min_sdk_version() <= 23:
         if not self.do_detect_plain_pins_x509():
             if not self.do_detect_plain_pins_hostnameverifier():
                 yield Issue(detector_id=self.option,
                             confidence=IssueConfidence.CERTAIN,
                             cvss3_vector=self.cvss,
                             summary='insecure TLS connection',
                             info1='no pinning detected')
コード例 #17
0
 def detect(self) -> Iterable[Issue]:
     if self._context.get_min_sdk_version() <= 23:
         if not self._do_detect_plain_pins_x509():
             if not self._do_detect_plain_pins_hostnameverifier():
                 yield Issue(detector_id=self.option,
                             confidence='certain',
                             cvss3_vector=self._cvss,
                             summary=self._summary,
                             info1='no pinning detected')
コード例 #18
0
 def detect(self) -> Iterable[Issue]:
     with self._context.store() as store:
         for cl in store.query().consts(
                 InvocationPattern('const-string', r'%s')):
             for t in self._analyzed(cl.p[1].v):
                 yield Issue(detector_id=self.option,
                             confidence=t['confidence'],
                             cvss3_vector=self._cvss,
                             summary=self._summary,
                             info1=t['value'],
                             source=store.query().qualname_of(cl))
         for name, val in self._context.string_resources():
             for t in self._analyzed(val):
                 yield Issue(detector_id=self.option,
                             confidence=t['confidence'],
                             cvss3_vector=self._cvss,
                             summary=self._summary,
                             info1=t['value'],
                             source=f'R.string.{name}')
コード例 #19
0
ファイル: security.py プロジェクト: simhaonline/trueseeing
 def do_detect(self):
     with self.context.store() as store:
         for cl in store.query().consts(
                 InvocationPattern('const-string', r'%s')):
             for t in self.analyzed(cl.p[1].v):
                 yield Issue(detector_id=self.option,
                             confidence=t['confidence'],
                             cvss3_vector=self.cvss,
                             summary='detected format string',
                             info1=t['value'],
                             source=store.query().qualname_of(cl))
         for name, val in self.context.string_resources():
             for t in self.analyzed(val):
                 yield Issue(detector_id=self.option,
                             confidence=t['confidence'],
                             cvss3_vector=self.cvss,
                             summary='detected format string',
                             info1=t['value'],
                             source='R.string.%s' % name)
コード例 #20
0
 def do_detect(self):
     with self.context.store() as store:
         for cl in store.query().ops_of('xor-int/lit8'):
             target_val = int(cl.p[2].v, 16)
             if (cl.p[0].v == cl.p[1].v) and target_val > 1:
                 yield Issue(
                     detector_id=self.option,
                     cvss3_vector=self.cvss,
                     confidence=IssueConfidence.FIRM,
                     summary='insecure cryptography: non-random XOR cipher',
                     info1='0x%02x' % target_val,
                     source=store.query().qualname_of(cl))
コード例 #21
0
ファイル: crypto.py プロジェクト: monolithworks/trueseeing
 def detect(self) -> Iterable[Issue]:
   with self._context.store() as store:
     for cl in store.query().ops_of('xor-int/lit8'):
       target_val = int(cl.p[2].v, 16)
       if (cl.p[0].v == cl.p[1].v) and target_val > 1:
         yield Issue(
           detector_id=self.option,
           cvss3_vector=self._cvss,
           confidence='firm',
           summary='insecure cryptography: non-random XOR cipher',
           info1=f'0x{target_val:02x}',
           source=store.query().qualname_of(cl)
         )
コード例 #22
0
ファイル: manifest.py プロジェクト: simhaonline/trueseeing
 def do_detect(self):
     # TBD: compare with actual permission needs
     yield from (Issue(
         detector_id=self.option,
         confidence=IssueConfidence.CERTAIN,
         cvss3_vector=self.cvss,
         summary='open permissions',
         info1=p,
         source='AndroidManifest.xml',
         synopsis="Application is requesting one or more permissions.",
         description=
         "Application is requesting one or more permissions.  Permissions are an important security system of Android.  They control accesses to sensitive information (e.g. GPS, IMEI/IMSI, process stats, accounts, contacts, SMSs) or possibly dangerous/costly operation (e.g. SMSs, internet access, controlling system services, obstructing screens.)  Requesting ones are vital for proper functioning of application, though abusage leads to hurt privacy or device availability.  This issue is just an observation; requesting permissions alone does not constitute an security issue.",
     ) for p in self.context.permissions_declared())
コード例 #23
0
    def detect(self) -> Iterable[Issue]:
        with self._context.store() as store:
            for op in store.query().invocations(
                    InvocationPattern(
                        'invoke-',
                        'Landroid/net/Uri;->parse\(Ljava/lang/String;\)Landroid/net/Uri;'
                    )):
                try:
                    if DataFlows.solved_constant_data_in_invocation(
                            store, op, 0).startswith('content://sms/'):
                        yield Issue(detector_id=self.option,
                                    confidence='certain',
                                    cvss3_vector=self._cvss,
                                    summary=self._summary,
                                    info1='accessing SMS',
                                    source=store.query().qualname_of(op))
                except DataFlows.NoSuchValueError:
                    pass

            for op in store.query().invocations(
                    InvocationPattern('invoke-',
                                      'Landroid/telephony/SmsManager;->send')):
                yield Issue(detector_id=self.option,
                            confidence='certain',
                            cvss3_vector=self._cvss,
                            summary=self._summary,
                            info1='sending SMS',
                            source=store.query().qualname_of(op))

            for op in store.query().invocations(
                    InvocationPattern(
                        'invoke-',
                        'Landroid/telephony/SmsMessage;->createFromPdu\(')):
                yield Issue(detector_id=self.option,
                            confidence='firm',
                            cvss3_vector=self._cvss,
                            summary=self._summary,
                            info1='intercepting incoming SMS',
                            source=store.query().qualname_of(op))
コード例 #24
0
 def detect(self) -> Iterable[Issue]:
     with self._context.store() as store:
         for op in store.query().invocations(
                 InvocationPattern(
                     'invoke-',
                     'Landroid/provider/Settings\$Secure;->getString\(Landroid/content/ContentResolver;Ljava/lang/String;\)Ljava/lang/String;|Landroid/telephony/TelephonyManager;->getDeviceId\(\)Ljava/lang/String;|Landroid/telephony/TelephonyManager;->getSubscriberId\(\)Ljava/lang/String;|Landroid/telephony/TelephonyManager;->getLine1Number\(\)Ljava/lang/String;|Landroid/bluetooth/BluetoothAdapter;->getAddress\(\)Ljava/lang/String;|Landroid/net/wifi/WifiInfo;->getMacAddress\(\)Ljava/lang/String;|Ljava/net/NetworkInterface;->getHardwareAddress\(\)'
                 )):
             val_type = self.analyzed(store, op)
             if val_type is not None:
                 yield Issue(detector_id=self.option,
                             confidence='certain',
                             cvss3_vector=self._cvss,
                             summary=self._summary,
                             info1=f'getting {val_type}',
                             source=store.query().qualname_of(op))
コード例 #25
0
ファイル: manifest.py プロジェクト: monolithworks/trueseeing
  def detect(self) -> Iterable[Issue]:
    if self._context.parsed_manifest().getroot().xpath('//application[not(@android:allowBackup="false")]', namespaces=dict(android='http://schemas.android.com/apk/res/android')):
      yield Issue(
        detector_id=self.option,
        confidence='certain',
        cvss3_vector=self._cvss,
        summary='manipulatable backups',
        source='AndroidManifest.xml',
        synopsis="Application data can be backed up and restored with the Full Backup feature.",
        description="Application data can be backed up and restored with the Full Backup feature, thusly making it subjectible to the backup attack.",
        solution='''\
Review them and opt-out from the Full Backup feature if necessary.  To opt-out, define the following attribute to the <application> tag in the manifest:

android:allowBackup="false"
'''
      )
コード例 #26
0
ファイル: manifest.py プロジェクト: monolithworks/trueseeing
  def detect(self) -> Iterable[Issue]:
    if self._context.parsed_manifest().getroot().xpath('//application[@android:debuggable="true"]', namespaces=dict(android='http://schemas.android.com/apk/res/android')):
      yield Issue(
        detector_id=self.option,
        confidence='certain',
        cvss3_vector=self._cvss,
        summary='app is debuggable',
        source='AndroidManifest.xml',
        synopsis="Application can be debugged.",
        description="Application can be debugged (the debuggable bit is set.)  Debugging it gives attackers complete control of its process memory and control flow.",
        solution='''\
Disable the debuggable bit.  To disable it, define the following attribute to the <application> tag in the manifest:

android:debuggable="false"
'''
      )
コード例 #27
0
ファイル: report.py プロジェクト: monolithworks/trueseeing
    def generate(self) -> None:
        super().generate()
        from json import dumps
        with self._context.store().db as db:
            issues = []
            for no, row in enumerate(
                    db.execute(
                        'select distinct detector, summary, synopsis, description, seealso, solution, cvss3_score, cvss3_vector from analysis_issues order by cvss3_score desc'
                    )):
                instances: List[Dict[str, Any]] = []
                issues.append(
                    dict(no=no,
                         detector=row[0],
                         summary=row[1].title(),
                         synopsis=row[2],
                         description=row[3],
                         seealso=row[4],
                         solution=row[5],
                         cvss3_score=row[6],
                         cvss3_vector=row[7],
                         severity=CVSS3Scoring.severity_of(row[6]).title(),
                         instances=instances))
                for m in db.execute(
                        'select * from analysis_issues where detector=:detector and summary=:summary and cvss3_score=:cvss3_score',
                    {
                        v: row[k]
                        for k, v in {
                            0: 'detector',
                            1: 'summary',
                            6: 'cvss3_score'
                        }.items()
                    }):
                    issue = Issue.from_analysis_issues_row(m)
                    instances.append(
                        dict(info=issue.brief_info(),
                             source=issue.source,
                             row=issue.row,
                             col=issue.col))

            app = dict(package=self._context.parsed_manifest().getroot().xpath(
                '/manifest/@package',
                namespaces=dict(
                    android='http://schemas.android.com/apk/res/android'))[0],
                       issues=len(issues))
            self._write(dumps({"app": app, "issues": issues}, indent=2))
コード例 #28
0
ファイル: security.py プロジェクト: simhaonline/trueseeing
 def do_detect(self):
     with self.context.store() as store:
         for cl in store.query().invocations(
                 InvocationPattern(
                     'invoke-virtual',
                     'Landroid/content/Context;->openFileOutput\(Ljava/lang/String;I\)'
                 )):
             try:
                 target_val = int(
                     DataFlows.solved_constant_data_in_invocation(
                         store, cl, 1), 16)
                 if target_val & 3:
                     yield Issue(detector_id=self.option,
                                 confidence=IssueConfidence.CERTAIN,
                                 cvss3_vector=self.cvss,
                                 summary='insecure file permission',
                                 info1={
                                     1: 'MODE_WORLD_READABLE',
                                     2: 'MODE_WORLD_WRITEABLE'
                                 }[target_val],
                                 source=store.query().qualname_of(cl))
             except (DataFlows.NoSuchValueError):
                 pass
コード例 #29
0
    def generate(self):
        super().generate()
        with self._context.store().db as db:
            issues = []
            for row, no in zip(
                    db.execute(
                        'select distinct detector, summary, synopsis, description, seealso, solution, cvss3_score, cvss3_vector from analysis_issues order by cvss3_score desc'
                    ), range(1, 2**32)):
                instances = []
                issues.append(
                    dict(no=no,
                         detector=row[0],
                         summary=row[1].title(),
                         synopsis=row[2],
                         description=row[3],
                         seealso=row[4],
                         solution=row[5],
                         cvss3_score=row[6],
                         cvss3_vector=row[7],
                         severity=CVSS3Scoring.severity_of(row[6]).title(),
                         instances=instances,
                         severity_panel_style={
                             'critical': 'panel-danger',
                             'high': 'panel-warning',
                             'medium': 'panel-warning',
                             'low': 'panel-success',
                             'info': 'panel-info'
                         }[CVSS3Scoring.severity_of(row[6])]))
                for m in db.execute(
                        'select * from analysis_issues where detector=:detector and summary=:summary and cvss3_score=:cvss3_score',
                    {
                        v: row[k]
                        for k, v in {
                            0: 'detector',
                            1: 'summary',
                            6: 'cvss3_score'
                        }.items()
                    }):
                    issue = Issue.from_analysis_issues_row(m)
                    instances.append(
                        dict(info=issue.brief_info(),
                             source=issue.source,
                             row=issue.row,
                             col=issue.col))

            app = dict(package=self._context.parsed_manifest().getroot().xpath(
                '/manifest/@package',
                namespaces=dict(
                    android='http://schemas.android.com/apk/res/android'))[0],
                       issues=len(issues),
                       issues_critical=len(
                           [_ for _ in issues if _['severity'] == 'Critical']),
                       issues_high=len(
                           [_ for _ in issues if _['severity'] == 'High']),
                       issues_medium=len(
                           [_ for _ in issues if _['severity'] == 'Medium']),
                       issues_low=len(
                           [_ for _ in issues if _['severity'] == 'Low']),
                       issues_info=len(
                           [_ for _ in issues if _['severity'] == 'Info']))
            self._write(self._template.render(app=app, issues=issues))
コード例 #30
0
ファイル: security.py プロジェクト: simhaonline/trueseeing
    def do_detect(self):
        with self.context.store() as store:
            targets = set()
            seeds = {'WebView', 'XWalkView', 'GeckoView'}

            more = True
            while more:
                more = False
                for cl in store.query().related_classes('|'.join(seeds)):
                    name = store.query().class_name_of(cl)
                    if name not in targets:
                        targets.add(name)
                        more = True
            for seed in seeds:
                targets.add('L.*%s;' % seed)

            # XXX: Crude detection
            # https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object,%2520java.lang.String)
            if self.context.get_min_sdk_version() <= 16:
                for p in store.query().invocations(
                        InvocationPattern(
                            'invoke-virtual',
                            'Landroid/webkit/WebSettings;->setJavaScriptEnabled'
                        )):
                    try:
                        if DataFlows.solved_constant_data_in_invocation(
                                store, p, 0):
                            for target in targets:
                                for q in store.query().invocations_in_class(
                                        p,
                                        InvocationPattern(
                                            'invoke-virtual',
                                            '%s->addJavascriptInterface' %
                                            target)):
                                    try:
                                        if DataFlows.solved_constant_data_in_invocation(
                                                store, q, 0):
                                            yield Issue(
                                                detector_id=self.option,
                                                confidence=IssueConfidence.
                                                FIRM,
                                                cvss3_vector=self.cvss,
                                                summary=
                                                'insecure Javascript interface',
                                                source=store.query(
                                                ).qualname_of(q))
                                    except (DataFlows.NoSuchValueError):
                                        yield Issue(
                                            detector_id=self.option,
                                            confidence=IssueConfidence.
                                            TENTATIVE,
                                            cvss3_vector=self.cvss,
                                            summary=
                                            'insecure Javascript interface',
                                            source=store.query().qualname_of(
                                                q))
                    except (DataFlows.NoSuchValueError):
                        pass

                # https://developer.android.com/reference/android/webkit/WebSettings#setMixedContentMode(int)
                if self.context.get_min_sdk_version() <= 20:
                    for q in store.query().invocations_in_class(
                            p,
                            InvocationPattern(
                                'invoke-virtual',
                                'Landroid/webkit/WebSettings;->setMixedContentMode'
                            )):
                        try:
                            val = int(
                                DataFlows.solved_constant_data_in_invocation(
                                    store, q, 0), 16)
                            if val == 0:
                                yield Issue(
                                    detector_id=self.option,
                                    confidence=IssueConfidence.FIRM,
                                    cvss3_vector=self.cvss,
                                    summary='insecure mixed content mode',
                                    info1='MIXED_CONTENT_ALWAYS_ALLOW',
                                    source=store.query().qualname_of(q))
                        except (DataFlows.NoSuchValueError):
                            pass